[Swan-dev] libreswan 3.9rc1 Release Candidate: please test!
Bernhard Held
berny156 at gmx.de
Sun Jul 6 23:57:31 EEST 2014
Am 06.07.2014 03:15, schrieb Paul Wouters:
> On Sat, 5 Jul 2014, Bernhard Held wrote:
>
>> I'm applying the attached patch to turn the "connection list" message
>>
>> ESP algorithms wanted: AES_GCM_C(20)_256-NONE(0)_000;
>> pfsgroup=MODP2048(14)
>> ESP algorithms loaded: none
>>
>> into:
>>
>> ESP algorithms wanted: AES_GCM_C(20)_256-NONE(0)_000;
>> pfsgroup=MODP2048(14)
>> ESP algorithms loaded: AES_GCM_C(20)_256-NONE(0)_000
>>
>> The problem is that kernel_alg_esp_enc_ok() is called several times
>> with key_len = 0, which causes a failure of the check of the AES_GCM
>> key length. A few lines further down in kernel_alg_esp_enc_ok() a
>> comment even tells us that "if key_len specified, it must be in
>> range". This is what my patch is introducing for the first test too.
>>
>> It's just a cosmetic problem, libreswan can establish a SA. However,
>> it's very misleading and makes finding the right key length pretty hard.
>
> I ran into the same issue and had included a patch for it as well:
>
> https://github.com/libreswan/libreswan/commit/2be652fea52eaf3e25671c4b2ddd5ff4f1a10342
>
>
> commit 2be652fea52eaf3e25671c4b2ddd5ff4f1a10342
> Author: Paul Wouters <pwouters at redhat.com>
> Date: Thu Jul 3 12:37:21 2014 -0400
>
> kernel_alg_esp_enc_ok(): improve key size handling
>
> - If ealg is not registered, don't return "ok" (also already spotted
> by Hugh)
> - If key_len is specified, enforce some size restrictions
> (this duplicates code elsewhere and should be split off in a
> separate function)
>
> Paul
Ok, I missed this one.
The support and maintenance of libreswan & xl2tpd are outstanding.
Thanks a lot for the excellent work!
Bernhard
More information about the Swan-dev
mailing list